On 17/01/2018 11:31, Daniel P. Berrange wrote: > > eg consider the user asks for a tap device called eth1. To the > sysadmin the user's tap device now looks like a physical NIC. > This can be even worse if the host does physical NIC hotplug, > or uses SRIOV. eg consider the host as eth0 -> eth7 for SRIOV > NICs, and eth3 is given to a guest. Now a user uses the setuid > helper to ask for a TAP called eth3. When the SRIOV device is > later released by the guest it will end up called eth8, as the > TAP device occupies eth3. In bad cases this could even cause > the host mgmt layer to configure bogus addresses on the eth3 > TAP device instead of the SRIOV device. > > If we want to allow ifname to be set via the setuid helper, then IMHO, > the config file for the helper *must* whitelist the various permitted > naming patterns.
Indeed, a similar patch has been proposed several times, and always the response was the same as Daniel's. :) Paolo